A newly discovered piece of malware for Android raises the bar in terms of sophistication and flexibility, offering its operator adaptability to various tasks.
Cybercriminals are currently running tests on GPlayed but malware analysts warn that it is already shaping up as a serious threat.
The modular architecture extends its functionality through plugins that can be added without the need to recompile and update the package on the device.
Wide range of features
The operator can also inject scripts and send .NET code to the infected Android device that GPlayed can compile and execute. It is built using the Xamarin environment for mobile apps and uses a DLL called “eCommon” that “contains support code and structures that are platform independent.”
This model shows a new step on the evolution ladder, where code can migrate from desktop platforms to mobile ones, resulting in a hybrid threat.
It disguises itself on the device as the Play Store app, using an icon very similar to the original and the name “Google Play Marketplace.” It asks for many permissions, including “BIND_DEVICE_ADMIN,” which gives it almost complete control over the infected device.
Researchers at Cisco Talos analyzed GPlayed and discovered a hefty set of native capabilities covering spying, data exfiltration, and self-management functions.
Aside from the regular features for stealing messages and contacts, making calls and sending SMS, the trojan can also display USSD messages, start applications, wipe the device, add and remove web injects, collect payment card information and set a new lock password.
“This is a full-fledged trojan with capabilities ranging from those of a banking trojan to a full spying trojan. This means that the malware can do anything from harvest the user’s banking credentials, to monitoring the device’s location,” the researchers say in a report today.
Trojan checks payment info before grabbing it
Once on the Android device, GPlayed starts different timers for initiating various tasks: pinging the command and control (C2) server, enabling WiFi if it is turned off, and registering the device with the C2 server.
Its activity starts by delivering phone information to the attacker’s server, such as model, IMEI, country, or the Android version running.
GPlayed will try to gain more privileges by requesting admin rights and demanding access to the device settings. This is a potential red flag for users.
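The two indicators described above (a Play Store lookalike label on a package that is not the real Play Store, and a device-admin-capable app that nobody approved) can be checked over a fleet's app inventory. The script below is an added example written for this article; it is not code from Cisco Talos or from the malware. It assumes an inventory export in the simple dict shape shown (constructed sample data), a placeholder trusted-admin allowlist, and uses only the genuine Play Store package name `com.android.vending` and the `BIND_DEVICE_ADMIN` string as reference points.

```python
import re

# Real Android identifiers used as reference points
GENUINE_PLAY_STORE = "com.android.vending"                 # package name of the real Play Store app
DEVICE_ADMIN_MARKER = "android.permission.BIND_DEVICE_ADMIN"
PLAY_LABEL_RE = re.compile(r"google\s*play", re.IGNORECASE)

# Packages allowed to hold device-admin rights in this (hypothetical) fleet.
TRUSTED_ADMIN_PACKAGES = {"com.example.mdm.agent"}          # placeholder, not a real product

# Constructed inventory in the shape an MDM export might use (assumed format, not a real tool's output).
SAMPLE_INVENTORY = [
    {"package": "com.android.vending", "label": "Google Play Store",
     "permissions": ["android.permission.INTERNET"]},
    {"package": "com.example.lookalike", "label": "Google Play Marketplace",   # constructed; mimics the decoy name in the article
     "permissions": ["android.permission.INTERNET", "android.permission.SEND_SMS",
                     "android.permission.READ_CONTACTS", DEVICE_ADMIN_MARKER]},
    {"package": "com.example.mdm.agent", "label": "Corp MDM",                  # constructed, on the trusted list
     "permissions": [DEVICE_ADMIN_MARKER]},
    {"package": "com.example.flashlight", "label": "Flashlight",               # constructed: admin rights with no business reason
     "permissions": ["android.permission.CAMERA", DEVICE_ADMIN_MARKER]},
]


def triage_app(app):
    """Return (severity, reasons) for one app; severity is None when nothing is suspicious."""
    reasons = []
    # Indicator 1: the label imitates Google Play but the package is not the genuine store.
    label_lookalike = (PLAY_LABEL_RE.search(app["label"]) is not None
                       and app["package"] != GENUINE_PLAY_STORE)
    # Indicator 2: the app can become a device administrator and is not an approved agent.
    admin_capable = (DEVICE_ADMIN_MARKER in app["permissions"]
                     and app["package"] not in TRUSTED_ADMIN_PACKAGES)
    if label_lookalike:
        reasons.append("Play Store lookalike label on a non-Play package")
    if admin_capable:
        reasons.append("device-admin capable and not on the trusted list")
    if admin_capable and "android.permission.SEND_SMS" in app["permissions"]:
        reasons.append("device admin combined with SMS capability")
    if not reasons:
        return None, []
    severity = "high" if label_lookalike and admin_capable else "medium"
    return severity, reasons


def triage(inventory):
    """Return {package: (severity, reasons)} for every app with at least one finding."""
    findings = {}
    for app in inventory:
        severity, reasons = triage_app(app)
        if severity:
            findings[app["package"]] = (severity, reasons)
    return findings


if __name__ == "__main__":
    for pkg, (sev, why) in triage(SAMPLE_INVENTORY).items():
        print(f"{sev:6} {pkg}: {'; '.join(why)}")
```

The genuine Play Store and the allowlisted MDM agent produce no finding; the lookalike is rated high because both indicators coincide, and an unexplained device admin on its own is rated medium so it still gets reviewed. Adjust `TRUSTED_ADMIN_PACKAGES` to the agents actually deployed before using the heuristic on real exports.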
Collecting payment information is done by opening a fake Google Payment web page that asks for a sum of money predefined by the attacker, supposedly required in order to use Google Services. The card information is verified online before it is sent to the C2.
According to Talos analysts, the version of GPlayed they saw targeted Russian speaking users, but it could be easily modified for a different language.
Its modularity makes it difficult to create a profile and removes restrictions to specific malicious activities. As such, it can be used as a banking trojan or ransomware just as easily.